IV = is the first 16 characters, grab them as ASCII to string and convert by Encoding.UTF8 to bytesKey = Key is calculated from 64-bit library of NativeLibrary.dll, function getCryKey2. Get's one uint argument which in code is passed as MainLoop.key (which is null uint)

EDIT: The file names are casual MD5, nothing muchI'll try to hack into process and grab the key from memory

UPDATE: There's some exception protection as it's throwing them like a crazy when started (may be related to webview of news) so it kind of kills my IDA64, attaching later to process after finishing web activity loading doesn't trigger getCryKey2 anymore (it's only at the semi-beginning to set the AESIV and AESKEY and is not used anymore. I'm still digging. Anyway, I found this:

It has 33 charactersThe managed code gets IntPtr to result of the getCryKey2, treats it via Marshal as ANSI text and splits to IV and key via string.split based on ',' character.meaning, that this may be the secret key:$MEVIUS-PROJECT# - for default IVSQUARE-ENIX-BD1% - for default keyboth have 16 characters, so 128bit, looks fine. Let's see.. @UPDATE

What if they have seen that extracting Final Fantasy IX code was easy so they obfuscated the IL assembly and hid the key in AMD64 (x86-64) DLL? Well, not really the key is hidden. Just let Mobius run and generate the keys, then attach to process, find NativePlugins DLL and getCryKey2 function and jump to byte array at getCryKey2+C. They don't flush the buffer after saving the key to managed Mevius.App.Api.AesKey and Mevius.App.Api.IV

@UPDATE3:Found the dictionary for fileList, the two unknowns in entries are: fileRevision and fileSize

Content categories. First character is first hash name (not the files, it's far more complicated xD)

This is jp version because it has only Japanese servers and assets list encoded to download. Original file has damaged meta-data header (the magic net header I forgot now), it's not really obfuscated, just protected from IL decompiling. Net unpacker doesn't work with this, you have to rip the dll manually or find a way to fix this header.

This is jp version because it has only Japanese servers and assets list encoded to download. Original file has damaged meta-data header (the magic net header I forgot now), it's not really obfuscated, just protected from IL decompiling. Net unpacker doesn't work with this, you have to rip the dll manually or find a way to fix this header.

woah, so that is how it is, i've been messing with the global version and no luck yet.it's always ended up with *Object reference not set to an instance of an object.*thanks for the heads up

On CFF explorer author site I found SNSRemover, a software that removes signature from .NET assembly, maybe they used that?

idk, maybe they did remove it by using that software...it's not really my thing but it does help me understand better about the structure.if it's "BSJB".. i think it could be located by inputting the value of "MetaData RVA" from MetaData Header to address converter on CFF, hmmm, i'll just try it later

uwah, i'm envius that you managed to do it so fast i guess i still have many thing too learn..btw does the global version used the same file with japan version? i can't tell about the content, but the size of dll file is about the same

1. The process reopens a bit after showing SquareEnix logo and works in some sort of protected mode meaning you can't attach debugger to working project2. Dumped Assembly-CSharp.dll from running instance is strange, ILSpy isn't opening it, CE doesn't even detect it in EnumSymbols function and IDA fails to attach (Mobius process) and enumerate images because of the privileges, when AssemblyCs opened in IDA it says, that the image is corrupted and has nothing to show

Tried looking at it via Process Monitors, bur it turns out it's just like any other process, nothing about locked access or anything.

Has anyone met such project that you can't attach to because of the "insufficient privileges" even though the process looks like normal process? Is it possible Mobius creates it's own fake debugger and attaches to himself to prevent any other debugger to step in?

Hey folks... If anyone is playing mobius I'd love to get along with in this journey. I'm playing for a long time now and definitely would need some help. Also with the MP. Add me on steam and send me a message there if you r interested. Thanks.

hey, I'm new here and play mobius ff jp as well. I can export some text assets file from the hash folder in the form of .txt files. Do you know how to open it? It's not the ogg file..the asset name is job ability...I wonder if I can somehow read the content of that text assets. Thanks in advance